UK.gov: Firms can't fondle your smart meter privates...

Third-party companies will not be able to access data recorded in consumers' smart meters unless consumers choose to let them see it, the Government has said.

The Department of Energy and Climate Change (DECC) said consumers should be able to control who accesses their smart meter consumption data other than in select circumstances. It said consumers could share the information with "switching sites" or "energy services companies" in order to obtain better tariffs.

"Consumers should be able easily to access their own smart metering energy consumption data, and share it with third parties, should they choose to," DECC said in its consultation (97-page/582KB PDF) on data access and privacy for its smart meter implementation programme. "This will enable consumers to use their data to reduce energy consumption and save money on bills."

"Research highlights that consumers are increasingly aware that their personal data has a commercial value, that they want to have control over such data, and that they would consider sharing their data if it is clear that they will derive benefit from this," it said.

Safeguards will be put in place to verify the identity of the person where permission has been given to third parties to access the consumption data from the Data and Communications Company (DCC). The DCC is to be established to provide communication services to and from smart meters.

"Where consumers give third parties permission to access their energy consumption data remotely via the Data and Communications Company (DCC), the Government proposes that arrangements should be put in place to protect consumers," DECC said. "In particular, the Government is proposing to use the Smart Energy Code to ensure that third parties take steps to verify that the request for third party services has come from the individual living in the premises in question; properly obtain consent from consumers to access their data; and provide annual reminders to consumers about the data that is being collected."

Under the DECC plans, energy suppliers will be able to access monthly energy consumption data in order to bill customers or in order to fulfil "any statutory requirement or licence obligation" without having to ask customers' permission. The suppliers will also have access to daily energy consumption data "for any purpose except marketing" but there must be a "clear opportunity" for consumers to opt out of that collection, it said.

Smart metering technology is due to be installed across the UK from 2014 with every UK household expected to have the technology by 2019. DECC has estimated that the programme, which will involve replacing around 53 million existing gas and electricity meters, will cost approximately £11.7 billion.

Smart metering enables a two-way flow of information that can deliver real-time information about energy consumption and demand for energy to suppliers and network operators. The Government has said smart metering will help to slash unnecessary energy use, reduce emissions and cut consumers' energy bills.

DECC said that suppliers would generally not be allowed to access customers' "half-hourly energy consumption data, or to use energy consumption data for marketing purposes" without obtaining those individuals' "explicit (opt-in) consent".

"There would be some exceptions to this basic framework, for example to allow half-hourly energy consumption data to be used for the purposes of approved trials, provided that the consumer had the opportunity to opt out of the trial," it said.

DECC has in principle agreed that energy distribution network operators can have access to half-hourly energy consumption data so that those operators can develop and maintain "efficient, co-ordinated and economical systems for the distribution of electricity and gas". However, the plans are subject to the approval of proposals the operators are due to draft over how this data could be "aggregated" in order to prevent individual household data from being identified.

"Before giving such access to network operators, the Government is proposing that they should be required to develop and submit for approval plans detailing how privacy concerns would be addressed and what the data would be used for," DECC said. "The Government is seeking views on what the arrangements should be in circumstances where network operators have not submitted such plans or they have not been approved. One option would be to apply the same basic framework for access to data as applies to suppliers, although the Government recognises that there may be important practical issues with this approach that would need further consideration."

There have been concerns that smart meter data can reveal intrusive details about individuals' lives.

Energy law expert Chris Martin of Pinsent Masons, the law firm behind Out-Law.com, previously said that data collected through smart metering was very granular in nature. He said putting "technical security measures" in place to prevent smart meter data being inappropriately accessed is vital to the successful operation of the technology.

"The data can reveal much about a household, such as the make and model of their TV, the times during which a house is occupied and the number of people staying in a household," Martin said. "This information is useful to energy suppliers but it is also potentially valuable to a whole host of other organisations too."

"Robust technical security measures will need to be in place, not only within the smart metering system, but also on the systems and networks of any third parties who are given the right to access and use smart metering data," he said. "Any specific smart metering privacy and data security requirements implemented by law or regulation in the UK will sit alongside the existing data protection and privacy laws that are administered by the UK Information Commissioner. These laws will apply to the collection and use of data, including personal data, using smart meters."

Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, previously told Out-Law.com that the Government's smart meter plans were "set to become another public sector IT disaster".

Hack attack threat

In a joint paper, Anderson and fellow academic Shailendra Fuloria previously outlined (6-page/119KB PDF) what they believe is a "strategic vulnerability" in how smart metering operates. They said that if hackers were able to break into a "head-end" hub where smart metering data might be collated they could cut the supply of energy across "tens of millions of households".

The reliance on software and applets to deliver smart metering successfully also exposes the technology to risks that those aspects of the systems could be hacked and tampered with, Anderson said. The way the 'keys' to this technology work, and who has access to that information, must be openly scrutinised by as many "eyeballs" as possible prior to being introduced to minimise the risk of attack, he said.

"The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability," Anderson said.

"An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same," he said. "Regulators such as NIST and Ofgem have started to recognise this problem. There are no agreed solutions as yet ... possible strategies include shared control, as used in nuclear command and control; backup keys as used in Microsoft Windows; rate-limiting mechanisms to bound the scale of an attack; and local-override features to mitigate its effects."
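As an added illustration (not taken from the article or from Anderson and Fuloria's paper), the sketch below combines two of the strategies named in the quote, shared control and rate limiting, in a gate placed in front of a remote-disconnect command path. The class, function names, operator IDs and thresholds are all hypothetical.

```python
import time
from collections import deque

RELEASED, NEED_APPROVAL, RATE_LIMITED = "released", "need_approval", "rate_limited"

class DisconnectGate:
    """Hypothetical gate in front of a head-end's remote-disconnect path."""

    def __init__(self, max_per_window, window_s, approvals_needed=2):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.approvals_needed = approvals_needed
        self._released_at = deque()   # timestamps of released commands
        self._approvals = {}          # meter_id -> set of approving operators

    def approve(self, meter_id, operator):
        self._approvals.setdefault(meter_id, set()).add(operator)

    def request(self, meter_id, now=None):
        now = time.monotonic() if now is None else now
        # Forget releases that have aged out of the sliding window.
        while self._released_at and now - self._released_at[0] >= self.window_s:
            self._released_at.popleft()
        # Shared control: one operator (or one stolen credential) is not enough.
        if len(self._approvals.get(meter_id, ())) < self.approvals_needed:
            return NEED_APPROVAL
        # Rate limit: bounds the damage even if every approver is compromised.
        if len(self._released_at) >= self.max_per_window:
            return RATE_LIMITED
        self._released_at.append(now)
        del self._approvals[meter_id]  # approvals are single-use
        return RELEASED

def run_burst(gate, meter_ids, operators, now):
    """Approve and request a disconnect for every meter; count releases."""
    released = 0
    for meter_id in meter_ids:
        for op in operators:
            gate.approve(meter_id, op)
        if gate.request(meter_id, now) == RELEASED:
            released += 1
    return released

if __name__ == "__main__":
    gate = DisconnectGate(max_per_window=3, window_s=3600)
    meters = [f"meter-{i}" for i in range(100)]   # constructed sample IDs
    print(run_burst(gate, meters, ["op-a"], now=0))          # 0
    print(run_burst(gate, meters, ["op-a", "op-b"], now=0))  # 3
```

With a single approver nothing is released; with two approvers a burst against 100 meters is capped at the window limit, so the scale of any one event stays bounded.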

Earlier this year two German researchers claimed that they had intercepted information sent between their smart meter devices and the servers of their energy supplier – German company Discovergy. Because the data was unencrypted the researchers said they were able to analyse the information, which they said was sent at two-second intervals, and determine intimate details about their energy consumption.

The researchers said the information could be used to establish details such as when houses are occupied, what appliances were being used and even what TV programme was being shown as a result of the traits revealed in the smart meter data associated with the energy used.

The FBI has also expressed concern about smart metering fraud methods, according to computer security expert Brian Krebs. Krebs has claimed to be in possession of an FBI "cyber intelligence bulletin" that states that hackers have been able to change the settings on smart meters to record lower energy consumption than actually occurred. The FBI has also reported that magnets can be used to prevent meters recording "usage" thereby presenting the opportunity for fraudulent activity, according to Krebs' blog.